Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit "the human factor," this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts.
A zero day (or 0-day) is a vulnerability that is known neither to the software vendor nor to end users. Zero days offer a way to gain initial access to an organization without being detected. They are rarely used in widespread attacks because they are costly to the attacker: finding a vulnerability with a high chance of successful exploitation takes significant effort. Zero days can be sold and purchased by governments or malicious actors when they are not disclosed to the affected vendor. The problem with zero days is that there are no detections for them; however, we argue that what can be detected is what happens after the zero day exploits a system.
Windows and the effectiveness of 0-day exploits
Apart from the inherent issue that these are all 0-days, so neither vendors nor end users knew about the vulnerability or the exploit, all of these 0-days use the exploited process to spawn other processes. This gives the blue team a good opportunity to detect exploits, and any other behavior that relies on the same technique. Monitoring which processes are spawned by which parent processes makes it possible to identify processes that should not be starting at all. For example, if you see Microsoft Word running powershell.exe, that is probably malicious activity. Head to the detect and respond section for more.
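The parent/child check described above, written out as an added example (not code from the original post): it classifies process-creation events by parent and child image name, flagging a document-handling application that launches a scripting host such as powershell.exe. The process lists and the sample events are constructed assumptions to be tuned per environment, and the field names loosely follow Sysmon Event ID 1 (Image, ParentImage).

```python
"""Flag suspicious parent/child process pairs, e.g. Microsoft Word launching
powershell.exe, from process-creation events (constructed sample below)."""
from collections import namedtuple
from pathlib import PureWindowsPath

ProcEvent = namedtuple("ProcEvent", "parent_image image")

# Document-handling applications that are commonly targeted by malicious files
# (assumed list; extend it to match the software in your environment).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "acrord32.exe", "acrobat.exe"}
# Children a document viewer has no business starting (script/LOLBin hosts).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}
# Children a document app legitimately spawns (assumed baseline; tune it).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}


def basename(image: str) -> str:
    """Normalise a full Windows image path to its lower-case file name."""
    return PureWindowsPath(image).name.lower()


def classify(ev: ProcEvent) -> str:
    """Return 'alert', 'review' or 'ok' for one process-creation event."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in DOCUMENT_APPS:
        return "ok"          # only document-app parents are in scope here
    if child in SUSPICIOUS_CHILDREN:
        return "alert"       # Word -> powershell.exe and friends
    if child in BENIGN_CHILDREN:
        return "ok"
    return "review"          # unknown child of a document app: worth a look


def triage(events):
    """Return (verdict, parent, child) for every event that is not 'ok'."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "ok":
            findings.append((verdict, basename(ev.parent_image), basename(ev.image)))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
              r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for verdict, parent, child in triage(SAMPLE_EVENTS):
        print(f"{verdict.upper():6} {parent} -> {child}")
```

Running the block prints one line for the Word-to-PowerShell event (alert) and one for the unknown executable started by Acrobat Reader (review); PowerShell started from Explorer is out of scope for this rule.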